Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Preventing Kubernetes Misconfigurations

Komodor
April 24, 2022
Technology
0
69

Preventing Kubernetes Misconfigurations

Joint webinar co-hosted by Datree and Komodor, featuring Komodor's CTO Itiel Shwartz and CEO of Datree Shimon Tolts

Komodor

April 24, 2022
Tweet

More Decks by Komodor

See All by Komodor
Nemlig.com's Multi-Cluster DNS Setup
komodor
0
72
Making Kubernetes Dev-Friendly with Komodor & Okteto
komodor
0
110
Unlocking Developer's Efficiency with Komodor & Loft
komodor
0
68
May the Fork Be with You: Community Contributed Open Source Projects FTW!
komodor
0
75
Shine a Light on K8s Blindspots With Komodor and Anodot
komodor
0
57
ArgoCD for K8s Done Right
komodor
0
30
Hardcore K8s
komodor
0
41
Defying the Odds: Building Robust and Safe Workloads
komodor
0
33
How to Cope When Kubernetes Misbehaves
komodor
0
78

Other Decks in Technology

See All in Technology
QAエンジニアが伝えたい品質保証の羅針盤 / Compass for Quality Assurance
mii3king
1
330
Cloudflare WorkersがPythonに対応したので試してみた
miura55
0
190
#phpconkagawa レガシーコードにもオブザーバビリティを 〜少しずつ始めるサービス監視〜
yamato_sorariku
0
550
SWC Transformerから見るTypeScript関数記述ベストプラクティス
fujiyamaorange
1
170
LINEヤフーのウェブアクセシビリティ
lycorptech_jp
PRO
2
170
回り回って効いてくる副次的効果としての技術広報/techpr
nishiuma
1
180
汎用ポリシー言語Rego + OPAと認可・検証事例の紹介 / Introduction Rego & OPA for authorization and validation
mizutani
1
150
Blazor WASM × Code-first gRPC で始める C# ⼤統⼀理論
sansantech
PRO
1
360
使われないものを作るな!出口から作るデータ分析基盤 / Data Platform Development Starting from the User Needs
amaotone
16
4.6k
【TSkaigi】2024/05/11 当日スライド
kimitashoichi
14
3.9k
「知的単純作業」を自動化する、地に足の着いた大規模言語モデル (LLM) の活用
nrryuya
8
8.2k
サービス開発におけるVue3とTypeScriptの親和性について
tsukuha
10
1.8k

Featured

See All Featured
The Cult of Friendly URLs
andyhume
74
5.7k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
41
4.5k
The World Runs on Bad Software
bkeepers
PRO
61
6.7k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
155
14k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
123
39k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
9
1.3k
VelocityConf: Rendering Performance Case Studies
addyosmani
321
23k
The Straight Up "How To Draw Better" Workshop
denniskardys
228
130k
Infographics Made Easy
chrislema
238
18k
Music & Morning Musume
bryan
41
5.6k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
8
3.5k
RailsConf 2023
tenderlove
9
580

Transcript

  1. None
  2. None

  3. 3

  4. Prevent Kubernetes misconfigurations from reaching production https://github.com/datreeio/datree

  5. None

  6. Agenda 3. Why policies are important 4. Cool tools you

    can use to prevent it from happening to you 1. Kubernetes failures stories 2. Post mortems & Lessons learned

  7. Top Kubernetes failures | EVENT 1 failing CronJob created 4320

    “Restarting” pods X LESSON Verify concurrencyPolicy is always set to either “Forbid” or “Replace” ✓ TARGET 5 #4 apiVersion: batch/v1beta1 kind: CronJob metadata: name: gke-cron-job spec: schedule: '*/1 * * * *' startingDeadlineSeconds: 10 concurrencyPolicy: Allow

  8. Top Kubernetes failures | EVENT Their API server was down

    due to OOM issues X LESSON Always ensure that Kubernetes YAML structure is valid, ideally through automated checks. ✓ concurrencyPolicy: Forbid successfulJobsHistoryLimit: 1 failedJobsHistoryLimit: 1 ZALANDO 5 #3

  9. Top Kubernetes failures | EVENT Entire cluster was down due

    to OOM issues and high memory usage X LESSON Specify requests and limits. Especially for third-party services and apps ✓ BLUE MATADOR 5 #2

  10. Top Kubernetes failures | EVENT An entire cluster was down

    due to Ingress misconfiguration X LESSON Prevent users from specifying host as “*” ✓ TARGET 5 #1

  11. Top Kubernetes failures | Lessons learned 1 Missing YAML structure

    validation Zalando 2 Enforce policy on requests and limits Blue Matador Enforce concurrencyPolicy set to Allow Target 3 Conclusions Enforce ‘*’ in ingress resource Target 4

  12. Top Kubernetes failures |

  13. Cool tools that you can use | Where in the

    pipeline? datree gatekeeper confTest

  14. Cool tools that you can use | Where in the

    pipeline? datree confTest gatekeeper

  15. Cool tools that you can use | Conftest Helps writing

    tests against structured files It’s specially designed to be used with CI or local testing. Built on top of OPA so all the policies should be written in Rego.

  16. Datree CLI solution for policies enforcement It’s specially designed to

    be used with CI or local testing or even as a pre-commit hook Built in policies & Best practices It’s comes with built-in policies ansl enables K8s admis create their own policies and centralized management.

  17. Datree

  18. Datree

  19. Datree

  20. Cool tools that you can use | Datree Open source

    It’s free, and open for PRs 😎

  21. Summary

  22. 22